Sonatype flags log4j as vulnerable
Closed this issue · 1 comment
sstults commented
Java version: 12.0.2, vendor: Oracle
Apache Maven 3.6.0
The build generates this message:
```text
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project quaerite-core: Detected 1 vulnerable components:
[ERROR] log4j:log4j:jar:1.2.17:compile; https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.17?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR] * [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen... (3.7); https://ossindex.sonatype.org/vulnerability/d3477f9c-032a-44a7-a5e1-02ae35e4737c?component-type=maven&component-name=log4j.log4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR] * [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat... (9.8); https://ossindex.sonatype.org/vulnerability/e6e4ebea-da12-4bde-8f24-6272925ad093?component-type=maven&component-name=log4j.log4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
```
tballison commented
Upgrade to 2.15.0 coming soon
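The dependency change that the upgrade above implies, written out as an added example and not the project's own pom.xml: the flagged `log4j:log4j:1.2.17` artifact is removed entirely (both CVEs live in the 1.x code base, so pinning a newer 1.x release is not an option) and replaced with Log4j 2 plus the `log4j-1.2-api` bridge, which lets code that still imports `org.apache.log4j` compile unchanged. The surrounding `<dependencies>` element and the 2.15.0 version are taken from the thread; everything else in the fragment is an assumption.

```xml
<!-- Added example, not the project's pom.xml. Before: the 1.x artifact that
     ossindex-maven-plugin flags (CVE-2019-17571 SocketServer deserialization,
     CVE-2020-9488 SMTP appender hostname check). Remove it; do not merely bump it. -->
<!--
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
</dependency>
-->

<!-- After: Log4j 2 runtime plus the 1.2 API bridge so existing
     org.apache.log4j imports keep working. Version from the maintainer's comment. -->
<properties>
  <log4j2.version>2.15.0</log4j2.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

After the change, run `mvn dependency:tree` and confirm that no other dependency still pulls `log4j:log4j` in transitively; the audit goal scans the resolved tree, so a second copy arriving through another library would reproduce the same error.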